[Mimedefang] Re: filtering swen
Matt Cramer
mscramer at armstrong.com
Thu Sep 25 13:38:00 EDT 2003

On Wed, 24 Sep 2003, Matt Cramer wrote:
> This worm is driving me nuts, because it flies totally under SpamAss's
> radar. So I thought I'd write some custom rules:
[...]
> Here are the headers from a message I received where the above rules did
> not change the score:
> Now, if I save this message, and run it through spamassassin -D I get a
> match on SWENVIRUS3 (which is in the body). So spamassassin itself can
> see the rules. Interestingly, if I take the message body text, and send
> it ALONE, then mimedefang processes it correctly and gives it the
> appropriate spam score:
[...]
> The Bayes rule appears, as well as my custom SWENRULE. So whatever is
> happening, it seems that perhaps the mime headers, or the way MD
> processes the parts, is causing it to miss on the custom rules (as well as
> Bayes). One thing I already confirmed is this is NOT caused by a
> limitation on message size in MD. First, I have it set to 200K as the
> limit, plus if I do bypass MD calling the SpamAss routines I don't insert
> any SpamAss headers at all, and as you can see above, the original SWEN
> message *IS* getting processed by SpamAss from MD.
>
> Any ideas? I would like to use SpamAss to catch these since I can
> combine a bunch of custom rules to raise the score above the threshold. I
> am hesitant to just drop any messages with "critical Update" etc. in the
> Subject, as that will likely drop legitimate mail here.

I upgraded to SpamAss 2.60 and my problem went away. There must have been
a pre-2.60 bug in SA's code for dealing with MIME and multiparts of this
sort.

Sorry for the wasted bandwidth.

Matt
--
Matthew S. Cramer <mscramer at armstrong.com> Office: 717-396-5032
Infrastructure Security Analyst Fax: 717-396-5590
Armstrong World Industries, Inc. Cell: 717-917-7099